TweetDeck Hacked—Panic (And Rickrolling) Ensues

Image: Courtesy of TweetDeck

TweetDeck, the popular application for managing Twitter feeds that is operated by Twitter itself, announced that it was temporarily disabling its service after a number of accounts were affected today by hackers who exploited a vulnerability in the service.

TweetDeck attributed the problem to a cross-site scripting (XSS) vulnerability, a flaw that lets an attacker inject script into a legitimate web page or application so that the browsers of people who view that page run it. The injected code does not run on the victim's machine outside the browser, but within the affected site it runs with the victim's logged-in privileges and can do anything the user could do there.

Cross-site scripting vulnerabilities are often used by criminal hackers to hijack logged-in sessions, steal banking credentials or other sensitive data, or quietly redirect victims to pages that serve malware.

In this case, however, the effect was limited: the vulnerability appeared to let anyone whose tweet showed up in a TweetDeck user's timeline embed JavaScript in that tweet, which TweetDeck then ran in the viewer's session. The payloads seen so far only displayed pop-up messages or spread like a worm, by making the viewer's account retweet the malicious tweet automatically, which pushed it into the timelines of that account's followers in turn.

Pop-up messages yelling “Yo!”, “HACKED” and the RickRoll classic “NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN” appeared on the screens of TweetDeck users to broadcast the breach. Other Twitter users had strange retweets sent from their accounts.

Those affected included @NYTimes and @BBCBreaking, whose accounts were among some 30,000 Twitter feeds that inadvertently retweeted a tweet containing a script, ending in a heart symbol, that appeared to come from @derGeruhn.

Update 12:30 PST An Austrian teen has claimed credit for uncovering the bug and for inadvertently causing others to exploit it. The 19-year-old, who would only identify himself to CNN as Florian and appears on Twitter as Firo XI, says he discovered the vulnerability when he tried to send a ♥ symbol in a Tweet and discovered that he could get accounts to share his message automatically. The teen says he notified Twitter about the vulnerability but before the company could patch it, other users had already discovered the issue through Florian’s tweet, which had by then gone viral, and begun to exploit it.
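As an added illustration (not TweetDeck's code, and not the actual 2014 payload), the JavaScript below models the mechanism described above: a renderer that pastes raw tweet text into markup lets a script inside a tweet run for every viewer, and an automatic retweet drops the same tweet into the viewers' followers' timelines, so it spreads like a worm. The article says the ♥ character is what triggered the bug in TweetDeck; the model skips that detail and simply treats the tweet body as HTML, which is the net effect. The payload, the follower graph and all function names here are constructed for the example.

```javascript
// Added example, not TweetDeck's code: a minimal model of a stored-XSS worm
// in a client-side tweet renderer, and the output escaping that stops it.

// Constructed payload shape for illustration only (not the 2014 tweet).
// The trailing \u2665 (♥) stands in for the character the article mentions.
const WORM_TWEET = {
  user: "@attacker",
  text: '<script>document.querySelector("[data-action=retweet]").click()</script>\u2665',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable renderer: interpolates the tweet body straight into markup,
// so anything that looks like HTML in the tweet is parsed as HTML.
function renderVulnerable(tweet) {
  return `<div class="tweet"><b>${tweet.user}</b> ${tweet.text}</div>`;
}

// Fixed renderer: every untrusted field is escaped before it reaches markup.
function renderSafe(tweet) {
  return `<div class="tweet"><b>${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Stand-in for "the browser ran a script": true if the markup contains a
// real <script> start tag (an escaped &lt;script&gt; does not count).
function executesScript(html) {
  return /<script[\s>]/i.test(html);
}

// Worm propagation over a follower graph. followers[u] lists the accounts
// that see u's tweets. Viewing the worm tweet through a renderer that runs
// the script triggers an auto-retweet, which puts the tweet in front of the
// viewer's own followers. Returns the set of accounts that retweeted.
function simulateWorm(followers, seed, render) {
  const retweeted = new Set();
  const queue = [seed];
  while (queue.length) {
    const poster = queue.shift();
    for (const viewer of followers[poster] || []) {
      if (retweeted.has(viewer)) continue; // each account retweets once
      if (executesScript(render(WORM_TWEET))) {
        retweeted.add(viewer);
        queue.push(viewer);
      }
    }
  }
  return retweeted;
}

// Constructed follower graph: @d has no followers, @g is never reached.
const FOLLOWERS = {
  "@attacker": ["@b", "@c"],
  "@b": ["@d"],
  "@c": ["@d", "@e"],
  "@e": ["@f"],
  "@g": ["@b"],
};

console.log("vulnerable renderer, accounts retweeting:",
  simulateWorm(FOLLOWERS, "@attacker", renderVulnerable).size);
console.log("escaped renderer, accounts retweeting:",
  simulateWorm(FOLLOWERS, "@attacker", renderSafe).size);
```

With the vulnerable renderer every account reachable from the attacker through the follower graph retweets; with the escaped renderer the payload is shown as literal text (`&lt;script&gt;...`) and nothing spreads. That is the property any fix needs: untrusted tweet text must never reach an HTML-parsing sink such as `innerHTML` or jQuery's `.html()` unescaped, whatever post-processing of special characters happens after the tweet is first rendered.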
